1. 01 Jul, 2022 1 commit
    • Will Deacon's avatar
      arm64: hugetlb: Restore TLB invalidation for BBM on contiguous ptes · 41098230
      Will Deacon authored
      Commit fb396bb4 ("arm64/hugetlb: Drop TLB flush from get_clear_flush()")
      removed TLB invalidation from get_clear_flush() [now get_clear_contig()]
      on the basis that the core TLB invalidation code is aware of hugetlb
      mappings backed by contiguous page-table entries and will cover the
      correct virtual address range.
      
      However, this change also resulted in the TLB invalidation being removed
      from the "break" step in the break-before-make (BBM) sequence used
      internally by huge_ptep_set_{access_flags,wrprotect}(), therefore
      making the BBM sequence unsafe irrespective of later invalidation.
      
      Although the architecture is desperately unclear about how exactly
      contiguous ptes should be updated in a live page-table, restore TLB
      invalidation to our BBM sequence under the assumption that BBM is the
      right thing to be doing in the first place.
      
      Fixes: fb396bb4 ("arm64/hugetlb: Drop TLB flush from get_clear_flush()")
      Cc: Ard Biesheuvel <ardb@kernel.org>
      Cc: Steve Capper <steve.capper@arm.com>
      Cc: Anshuman Khandual <anshuman.khandual@arm.com>
      Cc: Mike Kravetz <mike.kravetz@oracle.com>
      Cc: Marc Zyngier <maz@kernel.org>
      Signed-off-by: default avatarWill Deacon <will@kernel.org>
      Reviewed-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Reviewed-by: default avatarAnshuman Khandual <anshuman.khandual@arm.com>
      Link: https://lore.kernel.org/r/20220629095349.25748-1-will@kernel.orgSigned-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      41098230
  2. 17 Jun, 2022 1 commit
  3. 16 Jun, 2022 1 commit
  4. 15 Jun, 2022 4 commits
    • Mark Rutland's avatar
      arm64: ftrace: remove redundant label · 0d8116cc
      Mark Rutland authored
      Since commit:
      
        c4a0ebf8 ("arm64/ftrace: Make function graph use ftrace directly")
      
      The 'ftrace_common_return' label has been unused.
      
      Remove it.
      Signed-off-by: default avatarMark Rutland <mark.rutland@arm.com>
      Cc: Chengming Zhou <zhouchengming@bytedance.com>
      Cc: Will Deacon <will@kernel.org>
      Tested-by: default avatar"Ivan T. Ivanov" <iivanov@suse.de>
      Reviewed-by: default avatarChengming Zhou <zhouchengming@bytedance.com>
      Reviewed-by: default avatarArd Biesheuvel <ardb@kernel.org>
      Link: https://lore.kernel.org/r/20220614080944.1349146-4-mark.rutland@arm.comSigned-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      0d8116cc
    • Mark Rutland's avatar
      arm64: ftrace: consistently handle PLTs. · a6253579
      Mark Rutland authored
      Sometimes it is necessary to use a PLT entry to call an ftrace
      trampoline. This is handled by ftrace_make_call() and ftrace_make_nop(),
      with each having *almost* identical logic, but this is not handled by
      ftrace_modify_call() since its introduction in commit:
      
        3b23e499 ("arm64: implement ftrace with regs")
      
      Due to this, if we ever were to call ftrace_modify_call() for a callsite
      which requires a PLT entry for a trampoline, then either:
      
      a) If the old addr requires a trampoline, ftrace_modify_call() will use
         an out-of-range address to generate the 'old' branch instruction.
         This will result in warnings from aarch64_insn_gen_branch_imm() and
         ftrace_modify_code(), and no instructions will be modified. As
         ftrace_modify_call() will return an error, this will result in
         subsequent internal ftrace errors.
      
      b) If the old addr does not require a trampoline, but the new addr does,
         ftrace_modify_call() will use an out-of-range address to generate the
         'new' branch instruction. This will result in warnings from
         aarch64_insn_gen_branch_imm(), and ftrace_modify_code() will replace
         the 'old' branch with a BRK. This will result in a kernel panic when
         this BRK is later executed.
      
      Practically speaking, case (a) is vastly more likely than case (b), and
      typically this will result in internal ftrace errors that don't
      necessarily affect the rest of the system. This can be demonstrated with
      an out-of-tree test module which triggers ftrace_modify_call(), e.g.
      
      | # insmod test_ftrace.ko
      | test_ftrace: Function test_function raw=0xffffb3749399201c, callsite=0xffffb37493992024
      | branch_imm_common: offset out of range
      | branch_imm_common: offset out of range
      | ------------[ ftrace bug ]------------
      | ftrace failed to modify
      | [<ffffb37493992024>] test_function+0x8/0x38 [test_ftrace]
      |  actual:   1d:00:00:94
      | Updating ftrace call site to call a different ftrace function
      | ftrace record flags: e0000002
      |  (2) R
      |  expected tramp: ffffb374ae42ed54
      | ------------[ cut here ]------------
      | WARNING: CPU: 0 PID: 165 at kernel/trace/ftrace.c:2085 ftrace_bug+0x280/0x2b0
      | Modules linked in: test_ftrace(+)
      | CPU: 0 PID: 165 Comm: insmod Not tainted 5.19.0-rc2-00002-g4d9ead8b45ce #13
      | Hardware name: linux,dummy-virt (DT)
      | pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
      | pc : ftrace_bug+0x280/0x2b0
      | lr : ftrace_bug+0x280/0x2b0
      | sp : ffff80000839ba00
      | x29: ffff80000839ba00 x28: 0000000000000000 x27: ffff80000839bcf0
      | x26: ffffb37493994180 x25: ffffb374b0991c28 x24: ffffb374b0d70000
      | x23: 00000000ffffffea x22: ffffb374afcc33b0 x21: ffffb374b08f9cc8
      | x20: ffff572b8462c000 x19: ffffb374b08f9000 x18: ffffffffffffffff
      | x17: 6c6c6163202c6331 x16: ffffb374ae5ad110 x15: ffffb374b0d51ee4
      | x14: 0000000000000000 x13: 3435646532346561 x12: 3437336266666666
      | x11: 203a706d61727420 x10: 6465746365707865 x9 : ffffb374ae5149e8
      | x8 : 336266666666203a x7 : 706d617274206465 x6 : 00000000fffff167
      | x5 : ffff572bffbc4a08 x4 : 00000000fffff167 x3 : 0000000000000000
      | x2 : 0000000000000000 x1 : ffff572b84461e00 x0 : 0000000000000022
      | Call trace:
      |  ftrace_bug+0x280/0x2b0
      |  ftrace_replace_code+0x98/0xa0
      |  ftrace_modify_all_code+0xe0/0x144
      |  arch_ftrace_update_code+0x14/0x20
      |  ftrace_startup+0xf8/0x1b0
      |  register_ftrace_function+0x38/0x90
      |  test_ftrace_init+0xd0/0x1000 [test_ftrace]
      |  do_one_initcall+0x50/0x2b0
      |  do_init_module+0x50/0x1f0
      |  load_module+0x17c8/0x1d64
      |  __do_sys_finit_module+0xa8/0x100
      |  __arm64_sys_finit_module+0x2c/0x3c
      |  invoke_syscall+0x50/0x120
      |  el0_svc_common.constprop.0+0xdc/0x100
      |  do_el0_svc+0x3c/0xd0
      |  el0_svc+0x34/0xb0
      |  el0t_64_sync_handler+0xbc/0x140
      |  el0t_64_sync+0x18c/0x190
      | ---[ end trace 0000000000000000 ]---
      
      We can solve this by consistently determining whether to use a PLT entry
      for an address.
      
      Note that since (the earlier) commit:
      
        f1a54ae9 ("arm64: module/ftrace: intialize PLT at load time")
      
      ... we can consistently determine the PLT address that a given callsite
      will use, and therefore ftrace_make_nop() does not need to skip
      validation when a PLT is in use.
      
      This patch factors the existing logic out of ftrace_make_call() and
      ftrace_make_nop() into a common ftrace_find_callable_addr() helper
      function, which is used by ftrace_make_call(), ftrace_make_nop(), and
      ftrace_modify_call(). In ftrace_make_nop() the patching is consistently
      validated by ftrace_modify_code() as we can always determine what the
      old instruction should have been.
      
      Fixes: 3b23e499 ("arm64: implement ftrace with regs")
      Signed-off-by: default avatarMark Rutland <mark.rutland@arm.com>
      Cc: Ard Biesheuvel <ardb@kernel.org>
      Cc: Will Deacon <will@kernel.org>
      Tested-by: default avatar"Ivan T. Ivanov" <iivanov@suse.de>
      Reviewed-by: default avatarChengming Zhou <zhouchengming@bytedance.com>
      Reviewed-by: default avatarArd Biesheuvel <ardb@kernel.org>
      Link: https://lore.kernel.org/r/20220614080944.1349146-3-mark.rutland@arm.comSigned-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      a6253579
    • Mark Rutland's avatar
      arm64: ftrace: fix branch range checks · 3eefdf9d
      Mark Rutland authored
      The branch range checks in ftrace_make_call() and ftrace_make_nop() are
      incorrect, erroneously permitting a forwards branch of 128M and
      erroneously rejecting a backwards branch of 128M.
      
      This is because both functions calculate the offset backwards,
      calculating the offset *from* the target *to* the branch, rather than
      the other way around as the later comparisons expect.
      
      If an out-of-range branch were erroeously permitted, this would later be
      rejected by aarch64_insn_gen_branch_imm() as branch_imm_common() checks
      the bounds correctly, resulting in warnings and the placement of a BRK
      instruction. Note that this can only happen for a forwards branch of
      exactly 128M, and so the caller would need to be exactly 128M bytes
      below the relevant ftrace trampoline.
      
      If an in-range branch were erroeously rejected, then:
      
      * For modules when CONFIG_ARM64_MODULE_PLTS=y, this would result in the
        use of a PLT entry, which is benign.
      
        Note that this is the common case, as this is selected by
        CONFIG_RANDOMIZE_BASE (and therefore RANDOMIZE_MODULE_REGION_FULL),
        which distributions typically seelct. This is also selected by
        CONFIG_ARM64_ERRATUM_843419.
      
      * For modules when CONFIG_ARM64_MODULE_PLTS=n, this would result in
        internal ftrace failures.
      
      * For core kernel text, this would result in internal ftrace failues.
      
        Note that for this to happen, the kernel text would need to be at
        least 128M bytes in size, and typical configurations are smaller tha
        this.
      
      Fix this by calculating the offset *from* the branch *to* the target in
      both functions.
      
      Fixes: f8af0b36 ("arm64: ftrace: don't validate branch via PLT in ftrace_make_nop()")
      Fixes: e71a4e1b ("arm64: ftrace: add support for far branches to dynamic ftrace")
      Signed-off-by: default avatarMark Rutland <mark.rutland@arm.com>
      Cc: Ard Biesheuvel <ardb@kernel.org>
      Cc: Will Deacon <will@kernel.org>
      Tested-by: default avatar"Ivan T. Ivanov" <iivanov@suse.de>
      Reviewed-by: default avatarChengming Zhou <zhouchengming@bytedance.com>
      Reviewed-by: default avatarArd Biesheuvel <ardb@kernel.org>
      Link: https://lore.kernel.org/r/20220614080944.1349146-2-mark.rutland@arm.comSigned-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      3eefdf9d
    • Catalin Marinas's avatar
      Revert "arm64: Initialize jump labels before setup_machine_fdt()" · 27d8fa20
      Catalin Marinas authored
      This reverts commit 73e2d827.
      
      The reverted patch was needed as a fix after commit f5bda35f
      ("random: use static branch for crng_ready()"). However, this was
      already fixed by 60e5b288 ("random: do not use jump labels before
      they are initialized") and hence no longer necessary to initialise jump
      labels before setup_machine_fdt().
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      27d8fa20
  5. 12 Jun, 2022 10 commits
  6. 11 Jun, 2022 9 commits
    • Linus Torvalds's avatar
      Merge tag 'gpio-fixes-for-v5.19-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux · 7a68065e
      Linus Torvalds authored
      Pull gpio fixes from Bartosz Golaszewski:
       "A set of fixes. Most address the new warning we emit at build time
        when irq chips are not immutable with some additional tweaks to
        gpio-crystalcove from Andy and a small tweak to gpio-dwapd.
      
         - make irq_chip structs immutable in several Diolan and intel drivers
           to get rid of the new warning we emit when fiddling with irq chips
      
         - don't print error messages on probe deferral in gpio-dwapb"
      
      * tag 'gpio-fixes-for-v5.19-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux:
        gpio: dwapb: Don't print error on -EPROBE_DEFER
        gpio: dln2: make irq_chip immutable
        gpio: sch: make irq_chip immutable
        gpio: merrifield: make irq_chip immutable
        gpio: wcove: make irq_chip immutable
        gpio: crystalcove: Join function declarations and long lines
        gpio: crystalcove: Use specific type and API for IRQ number
        gpio: crystalcove: make irq_chip immutable
      7a68065e
    • Linus Torvalds's avatar
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · cecb3540
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "Driver fixes and and one core patch.
      
        Nine of the driver patches are minor fixes and reworks to lpfc and the
        rest are trivial and minor fixes elsewhere"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: pmcraid: Fix missing resource cleanup in error case
        scsi: ipr: Fix missing/incorrect resource cleanup in error case
        scsi: mpt3sas: Fix out-of-bounds compiler warning
        scsi: lpfc: Update lpfc version to 14.2.0.4
        scsi: lpfc: Allow reduced polling rate for nvme_admin_async_event cmd completion
        scsi: lpfc: Add more logging of cmd and cqe information for aborted NVMe cmds
        scsi: lpfc: Fix port stuck in bypassed state after LIP in PT2PT topology
        scsi: lpfc: Resolve NULL ptr dereference after an ELS LOGO is aborted
        scsi: lpfc: Address NULL pointer dereference after starget_to_rport()
        scsi: lpfc: Resolve some cleanup issues following SLI path refactoring
        scsi: lpfc: Resolve some cleanup issues following abort path refactoring
        scsi: lpfc: Correct BDE type for XMIT_SEQ64_WQE in lpfc_ct_reject_event()
        scsi: vmw_pvscsi: Expand vcpuHint to 16 bits
        scsi: sd: Fix interpretation of VPD B9h length
      cecb3540
    • Linus Torvalds's avatar
      Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost · abe71eb3
      Linus Torvalds authored
      Pull virtio fixes from Michael Tsirkin:
       "Fixes all over the place, most notably fixes for latent bugs in
        drivers that got exposed by suppressing interrupts before DRIVER_OK,
        which in turn has been done by 8b4ec69d ("virtio: harden vring
        IRQ")"
      
      * tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost:
        um: virt-pci: set device ready in probe()
        vdpa: make get_vq_group and set_group_asid optional
        virtio: Fix all occurences of the "the the" typo
        vduse: Fix NULL pointer dereference on sysfs access
        vringh: Fix loop descriptors check in the indirect cases
        vdpa/mlx5: clean up indenting in handle_ctrl_vlan()
        vdpa/mlx5: fix error code for deleting vlan
        virtio-mmio: fix missing put_device() when vm_cmdline_parent registration failed
        vdpa/mlx5: Fix syntax errors in comments
        virtio-rng: make device ready before making request
      abe71eb3
    • Linus Torvalds's avatar
      Merge tag 'loongarch-fixes-5.19-1' of... · 0678afa6
      Linus Torvalds authored
      Merge tag 'loongarch-fixes-5.19-1' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson
      
      Pull LoongArch fixes from Huacai Chen.
       "Fix build errors and a stale comment"
      
      * tag 'loongarch-fixes-5.19-1' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson:
        LoongArch: Remove MIPS comment about cycle counter
        LoongArch: Fix copy_thread() build errors
        LoongArch: Fix the !CONFIG_SMP build
      0678afa6
    • Linus Torvalds's avatar
      iov_iter: fix build issue due to possible type mis-match · 1c27f1fc
      Linus Torvalds authored
      Commit 6c776766 ("iov_iter: Fix iter_xarray_get_pages{,_alloc}()")
      introduced a problem on some 32-bit architectures (at least arm, xtensa,
      csky,sparc and mips), that have a 'size_t' that is 'unsigned int'.
      
      The reason is that we now do
      
          min(nr * PAGE_SIZE - offset, maxsize);
      
      where 'nr' and 'offset' and both 'unsigned int', and PAGE_SIZE is
      'unsigned long'.  As a result, the normal C type rules means that the
      first argument to 'min()' ends up being 'unsigned long'.
      
      In contrast, 'maxsize' is of type 'size_t'.
      
      Now, 'size_t' and 'unsigned long' are always the same physical type in
      the kernel, so you'd think this doesn't matter, and from an actual
      arithmetic standpoint it doesn't.
      
      But on 32-bit architectures 'size_t' is commonly 'unsigned int', even if
      it could also be 'unsigned long'.  In that situation, both are unsigned
      32-bit types, but they are not the *same* type.
      
      And as a result 'min()' will complain about the distinct types (ignore
      the "pointer types" part of the error message: that's an artifact of the
      way we have made 'min()' check types for being the same):
      
        lib/iov_iter.c: In function 'iter_xarray_get_pages':
        include/linux/minmax.h:20:35: error: comparison of distinct pointer types lacks a cast [-Werror]
           20 |         (!!(sizeof((typeof(x) *)1 == (typeof(y) *)1)))
              |                                   ^~
        lib/iov_iter.c:1464:16: note: in expansion of macro 'min'
         1464 |         return min(nr * PAGE_SIZE - offset, maxsize);
              |                ^~~
      
      This was not visible on 64-bit architectures (where we always define
      'size_t' to be 'unsigned long').
      
      Force these cases to use 'min_t(size_t, x, y)' to make the type explicit
      and avoid the issue.
      
      [ Nit-picky note: technically 'size_t' doesn't have to match 'unsigned
        long' arithmetically. We've certainly historically seen environments
        with 16-bit address spaces and 32-bit 'unsigned long'.
      
        Similarly, even in 64-bit modern environments, 'size_t' could be its
        own type distinct from 'unsigned long', even if it were arithmetically
        identical.
      
        So the above type commentary is only really descriptive of the kernel
        environment, not some kind of universal truth for the kinds of wild
        and crazy situations that are allowed by the C standard ]
      Reported-by: default avatarSudip Mukherjee <sudipm.mukherjee@gmail.com>
      Link: https://lore.kernel.org/all/YqRyL2sIqQNDfky2@debian/
      Cc: Jeff Layton <jlayton@kernel.org>
      Cc: David Howells <dhowells@redhat.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      1c27f1fc
    • Jason A. Donenfeld's avatar
      wireguard: selftests: use maximum cpu features and allow rng seeding · 17b0128a
      Jason A. Donenfeld authored
      By forcing the maximum CPU that QEMU has available, we expose additional
      capabilities, such as the RNDR instruction, which increases test
      coverage. This then allows the CI to skip the fake seeding step in some
      cases. Also enable STRICT_KERNEL_RWX to catch issues related to early
      jump labels when the RNG is initialized at boot.
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      17b0128a
    • Kuan-Ying Lee's avatar
      scripts/gdb: change kernel config dumping method · 1f7a6cf6
      Kuan-Ying Lee authored
      MAGIC_START("IKCFG_ST") and MAGIC_END("IKCFG_ED") are moved out
      from the kernel_config_data variable.
      
      Thus, we parse kernel_config_data directly instead of considering
      offset of MAGIC_START and MAGIC_END.
      
      Fixes: 13610aa9 ("kernel/configs: use .incbin directive to embed config_data.gz")
      Signed-off-by: default avatarKuan-Ying Lee <Kuan-Ying.Lee@mediatek.com>
      Signed-off-by: default avatarMasahiro Yamada <masahiroy@kernel.org>
      1f7a6cf6
    • Vincent Whitchurch's avatar
      um: virt-pci: set device ready in probe() · eacea844
      Vincent Whitchurch authored
      Call virtio_device_ready() to make this driver work after commit
      b4ec69d7e09 ("virtio: harden vring IRQ"), since the driver uses the
      virtqueues in the probe function.  (The virtio core sets the device
      ready when probe returns.)
      
      Fixes: 8b4ec69d ("virtio: harden vring IRQ")
      Fixes: 68f5d3f3 ("um: add PCI over virtio emulation driver")
      Signed-off-by: default avatarVincent Whitchurch <vincent.whitchurch@axis.com>
      Message-Id: <20220610151203.3492541-1-vincent.whitchurch@axis.com>
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Tested-by: default avatarJohannes Berg <johannes@sipsolutions.net>
      eacea844
    • Linus Torvalds's avatar
      Merge tag 'nfsd-5.19-1' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux · 0885eacd
      Linus Torvalds authored
      Pull nfsd fixes from Chuck Lever:
       "Notable changes:
      
         - There is now a backup maintainer for NFSD
      
        Notable fixes:
      
         - Prevent array overruns in svc_rdma_build_writes()
      
         - Prevent buffer overruns when encoding NFSv3 READDIR results
      
         - Fix a potential UAF in nfsd_file_put()"
      
      * tag 'nfsd-5.19-1' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux:
        SUNRPC: Remove pointer type casts from xdr_get_next_encode_buffer()
        SUNRPC: Clean up xdr_get_next_encode_buffer()
        SUNRPC: Clean up xdr_commit_encode()
        SUNRPC: Optimize xdr_reserve_space()
        SUNRPC: Fix the calculation of xdr->end in xdr_get_next_encode_buffer()
        SUNRPC: Trap RDMA segment overflows
        NFSD: Fix potential use-after-free in nfsd_file_put()
        MAINTAINERS: reciprocal co-maintainership for file locking and nfsd
      0885eacd
  7. 10 Jun, 2022 14 commits